Abstract

The  hidden  weighted  bit  function  (HWBF),  introduced  by  R.  Bryant  in  IEEE  Trans. 
Comp.  40  and  revisited  by  D.  Knuth  in  Vol.  4  of  The  Art  of  Computer  Programming,  is 
a  function  that  seems  to  be  the  simplest  one  with  exponential  Binary  Decision  Diagram 
(BDD)  size.  This  property  is  interesting  from  a  cryptographic  viewpoint  since  BDD- 
based  attacks  are  receiving  more  attention  in  the  cryptographic  community.  But,  to  be 
usable  in  stream  ciphers,  the  functions  must  also  satisfy  all  the  other  main  criteria.  In 
this  paper,  we  investigate  the  cryptographic  properties  of  the  HWBF  and  prove  that  it 
is  balanced,  with  optimum  algebraic  degree  and  satisfies  the  strict  avalanche  criterion. 
We  calculate  its  exact  nonlinearity  and  give  a  lower  bound  on  its  algebraic  immunity. 
Moreover,  we  investigate  its  normality  and  its  resistance  against  fast  algebraic  attacks. 
The  HWBF  is  simple,  can  be  implemented  efficiently,  has  a  high  BDD  size  and  rather 
good  cryptographic  properties,  if  we  take  into  account  that  its  number  of  variables  can  be 
much  larger  than  for  other  functions  with  the  same  implementation  efficiency.  Therefore, 
the  HWBF  is  a  good  candidate  for  being  used  in  real  ciphers.  Indeed,  contrary  to  the 
case  of  symmetric  functions,  which  allow  such  fast  implementation  but  also  offer  to  the 
attacker  some  specific  possibilities  due  to  their  symmetry,  its  structure  is  not  suspected 
to  be  related  to  such  dedicated  attacks. 

1.  Introduction

To  resist  the  main  known  attacks,  Boolean  functions  used  in  stream  ciphers  should 
have  good  cryptographic  properties:  balancedness,  high  algebraic  degree,  high  algebraic 
immunity,  high  nonlinearity  and  good  immunity  to  fast  algebraic  attacks.  Up  to  now, 
many  classes  of  Boolean  functions  with  high  algebraic  immunity  have  been  introduced  [1, 
5,  6,  7,  8,  13,  14,  22,  23,  28,  29,  30,  31,  36,  37,  38,  41,  42,  43].  However,  most  of  them 
do  not  satisfy  all  the  necessary  criteria  and  the  few  classes  which  do  satisfy,  are  not 
very  efficiently  implementable;  moreover,  none  of  the  papers  studying  these  classes  took 
BDD-based  attacks  into  consideration. 

BDD-based attacks were first introduced by Krause in 2002 [20]. They might be
efficient  against  LFSR-based  generators  [20,  21,  34,  35].  To  resist  BDD-based  attacks,  a 
Boolean  function  should  have  a  high  BDD  size. 

The  hidden  weighted  bit  function  (HWBF)  was  proposed  by  Bryant  [2].  It  is  an  easily 
defined  function  that  has  an  exponential  BDD  size,  but  has  a  VLSI  implementation  with 
low  area-time  complexity  [2].  In  [19],  Knuth  reproved  Bryant’s  theorem  stating  that  the 
HWBF  has  a  large  BDD  size,  regardless  of  how  one  reorders  its  variables.  Therefore,  the 
HWBF  can  resist  BDD-based  attacks  and  could  be  implemented  efficiently.  However, 
many  other  cryptographic  properties  of  the  HWBF  were  still  unknown. 

In  this  paper,  we  investigate  the  important  cryptographic  properties  of  this  function 
and  show  that  it  is  balanced,  with  optimum  algebraic  degree  and  satisfies  the  strict 
avalanche  criterion.  We  calculate  exactly  its  nonlinearity  and  give  a  lower  bound  on  its 
algebraic  immunity.  These  two  parameters  are  not  at  an  optimal  level  (but  they  are 
not  low  either).  The  function  would  then  not  be  a  good  choice  as  a  filter  function  (in  a 
stream  cipher)  if  it  was  implemented  with  a  number  of  variables  which  is  usual  for  other 
functions  such  as  the  Carlet-Feng  function  [7]  (say,  between  16  and  20  variables).  But  its 
very  simple  structure  allows  using  it  with  many  more  variables  (at  least  twice)  and  then 
the  values  of  the  nonlinearity  and  of  the  algebraic  immunity  allow  good  resistance  to  the 
main  attacks  while  the  function  has  still  a  much  faster  hardware  implementation,  which 
allows the stream cipher to be at the same time robust against the main known attacks
and fast. This is also the case of some symmetric functions (whose output depends only on
the Hamming weight of the input), but the specificity of symmetric functions represents
a threat since it has the reputation of allowing dedicated attacks. The structure of the
HWBF function is almost as simple as that of symmetric functions but since, for
a given Hamming weight different from 0 and n of the input, the output is non-constant
(and is even almost balanced in the case of Hamming weights near n/2, that is, for most
probable ones), the function represents a better tradeoff between robustness and speed.
We  also  investigate  the  normality  and  give  some  computational  results  on  the  resistance 
of  the  HWBF  against  fast  algebraic  attacks,  revealing  that  the  HWBF  displays  good 
behavior  against  fast  algebraic  attacks. 

The paper is organized as follows. In Section 2, the necessary background is established.
We then investigate the cryptographic properties of the HWBF in Section 3. We
end in Section 4 with conclusions.


2.  Preliminaries 

Let $\mathbb{F}_2^n$ be the n-dimensional vector space over the finite field $\mathbb{F}_2$. We denote by $B_n$
the set of all n-variable Boolean functions, from $\mathbb{F}_2^n$ into $\mathbb{F}_2$.

Cosets of vector subspaces are also called flats. Let $f \in B_n$ and E be any flat. If the
restriction of f to E, denoted by $f|_E$, is constant (respectively affine), then E is called a
constant (respectively affine) flat for f.

Any Boolean function $f \in B_n$ can be uniquely represented as a multivariate polynomial
in $\mathbb{F}_2[x_1, \ldots, x_n]$,

$$f(x_1, \ldots, x_n) = \sum_{K \subseteq \{1,2,\ldots,n\}} a_K \prod_{k \in K} x_k,$$

which is called its algebraic normal form (ANF). The algebraic degree of f, denoted by
deg(f), is the number of variables in the highest order term with nonzero coefficient.

A Boolean function is affine if there exists no term of degree strictly greater than 1
in the ANF. The set of all affine functions is denoted by $A_n$.

Let

$$1_f = \{x \in \mathbb{F}_2^n \mid f(x) = 1\}, \qquad 0_f = \{x \in \mathbb{F}_2^n \mid f(x) = 0\},$$

be the support of a Boolean function f, respectively, its complement. The cardinality
of $1_f$ is called the Hamming weight of f, and will be denoted by wt(f). The Hamming
distance between two functions f and g is the Hamming weight of f + g, and will be
denoted by d(f, g). We say that an n-variable Boolean function f is balanced if $wt(f) = 2^{n-1}$.

Let $f \in B_n$. The nonlinearity of f is its distance from the set of all n-variable affine
functions, that is,

$$nl(f) = \min_{g \in A_n} d(f, g).$$

The nonlinearity of an n-variable Boolean function is bounded above by $2^{n-1} - 2^{n/2-1}$,
and a function is said to be bent if it achieves this bound. Clearly, bent functions exist
only for even n and it is known that the algebraic degree of a bent function is bounded
above by $\frac{n}{2}$ [4, 33]. The r-order nonlinearity, denoted by $nl_r(f)$, is its distance from the
set of all n-variable functions of algebraic degrees at most r.

A Boolean function $f \in B_n$ is called k-normal (respectively, k-weakly-normal) if there
exists a k-dimensional constant (respectively, affine) flat for f. If $k = \lceil n/2 \rceil$, f is simply
called a normal (respectively, weakly-normal) function.

For any $f \in B_n$, a nonzero function $g \in B_n$ is called an annihilator of f if fg (the
function defined by fg(x) = f(x)g(x)) is null, and the algebraic immunity of f, denoted
by AI(f), is the minimum value of d such that f or f + 1 admits an annihilator of degree
d [25]. It is known that the algebraic immunity of an n-variable Boolean function is
bounded above by $\lceil n/2 \rceil$ [11].

To resist algebraic attacks, a Boolean function f should have a high algebraic immunity,
which implies that the nonlinearity of f is also not very low since, according to
Lobanov’s bound [24]:


To resist fast algebraic attacks, a high algebraic immunity is not sufficient. If we
can find g of low degree and h of algebraic degree not much larger than n/2 such that
fg = h, then f is considered to be weak against fast algebraic attacks [10, 17]. The
higher order nonlinearities of a function with high (fast) algebraic immunity are also not
very low [3, 27, 40].

The Walsh transform of a given function $f \in B_n$ is the integer-valued function over
$\mathbb{F}_2^n$ defined by

$$W_f(\omega) = \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x) + \omega \cdot x},$$

where $\omega \in \mathbb{F}_2^n$ and $\omega \cdot x$ is an inner product, for instance, $\omega \cdot x = \omega_1 x_1 + \omega_2 x_2 + \cdots + \omega_n x_n$.
It is easy to see that a Boolean function f is balanced if and only if $W_f(0) = 0$. Moreover,
the nonlinearity of f can be determined by

$$nl(f) = 2^{n-1} - \frac{1}{2} \max_{\omega \in \mathbb{F}_2^n} |W_f(\omega)|.$$

The autocorrelation function of $f \in B_n$ is defined by

$$C_f(a) = \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x) + f(x+a)}.$$

Also, f satisfies the strict avalanche criterion if $C_f(a) = 0$, for wt(a) = 1.

For convenience, we denote the largest odd m such that $m \le n$ by $d_n$, that is,

$$d_n = 2\left\lfloor \frac{n-1}{2} \right\rfloor + 1.$$


3.  Cryptographic  properties  of  the  hidden  weighted  bit  function 


The hidden weighted bit function (HWBF) [2] in n variables $h \in B_n$ is defined as
follows:

$$h(x) = \begin{cases} 0 & \text{if } x = 0, \\ x_{wt(x)} & \text{otherwise.} \end{cases}$$

We shall use $h_n$ if we need to emphasize the number of variables that h depends on.
If we let $h' \in B_n$ be defined by

$$h'(x) = \begin{cases} 1 & \text{if } x = (1, 1, \ldots, 1), \\ x_{wt(x)+1} & \text{otherwise,} \end{cases}$$

that is, $h'(x_1, x_2, \ldots, x_n) = h(x_2, \ldots, x_n, x_1)$, then $h_{n+1}$ is the concatenation
$h_{n+1} = h_n \,\|\, h'_n$.

Let n = 4k + 1. Set $x_{k+1} = x_{k+2} = \cdots = x_{2k} = 0$ and $x_{2k+1} = x_{2k+2} = \cdots = x_{3k+1} = 1$.
Then the obtained subfunction from $h_n$ is the 2k-variable majority function,
which has the optimum algebraic immunity k (see [13]).

Theorem 1. The HWBF h is balanced and has algebraic degree n - 1 (optimum for a
balanced function), for $n \ge 3$.

Proof. Clearly,

$$|1_h| = \sum_{i=1}^{n} |\{x \mid wt(x) = i \text{ and } x_i = 1\}| = \sum_{i=1}^{n} \binom{n-1}{i-1}$$

and the first claim is proven.

We know (see e.g. [4, 12]) that the coefficient of a monomial $x^u = \prod_{i=1}^{n} x_i^{u_i}$ in
the algebraic form of f equals $\sum_{x \preceq u} f(x) \pmod 2$, where $x \preceq u$ means $x_i \le u_i$ for
i = 1, ..., n.

We deduce that the coefficient of the monomial $x_1 x_2 \cdots x_{k-1} x_{k+1} \cdots x_n$ (of degree n - 1)
equals

$$\sum_{j=1}^{n} |\{x \mid wt(x) = j,\ x_j = 1 \text{ and } x_k = 0\}| = \sum_{\substack{j=1 \\ j \ne k}}^{n-1} \binom{n-2}{j-1} = 2^{n-2} - \binom{n-2}{k-1} \pmod 2.$$

In particular, for k = n - 1, the coefficient equals 1, for $n \ge 3$. Hence, deg(h) = n - 1. □

Theorem  2.  The  HWBF  h  satisfies  the  strict  avalanche  criterion. 

Proof. We need to prove that h(x) + h(x + a) is balanced, for $a = (a_1, \ldots, a_n)$, wt(a) = 1,
say $a_k = 1$, where $1 \le k \le n$. Since h(x) and h(x + a) are both balanced, it is sufficient
to prove that $|1_{h(x)} \cap 1_{h(x+a)}| = 2^{n-1} - |1_{h(x)} \cap 0_{h(x+a)}| = 2^{n-2}$. Clearly, if $x_k = 1$ then
wt(x + a) = wt(x) - 1 and if $x_k = 0$ then wt(x + a) = wt(x) + 1. Hence, separating the
cases wt(x) = i < k, i = k, i = k + 1 and i > k + 1, we have

$$|\{x \mid x_k = 1,\ h(x) = h(x+a) = 1\}| = \sum_{i=3}^{k-1} \binom{n-3}{i-3} + \binom{n-2}{k-2} + 0 + \sum_{i=k+2}^{n} \binom{n-3}{i-3}$$

(since if $i \ne k, k+1$ for instance, then wt(x) = i and wt(x + a) = i + 1)

$$= 2^{n-3} - \binom{n-3}{k-3} - \binom{n-3}{k-2} + \binom{n-2}{k-2} = 2^{n-3}$$

and, separating the cases i < k - 1, i = k - 1, i = k and i > k, we have

$$|\{x \mid x_k = 0,\ h(x) = h(x+a) = 1\}| = \sum_{i=2}^{k-2} \binom{n-3}{i-2} + \binom{n-2}{k-2} + 0 + \sum_{i=k+1}^{n-1} \binom{n-3}{i-2}$$

$$= 2^{n-3} - \binom{n-3}{k-3} - \binom{n-3}{k-2} + \binom{n-2}{k-2} = 2^{n-3}.$$

Therefore, $|1_{h(x)} \cap 1_{h(x+a)}| = 2^{n-2}$, and the result follows. □


3.1.  Nonlinearity 

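Lemma 1. Let $\omega = (\omega_1, \ldots, \omega_n) \in \mathbb{F}_2^n$ with $wt(\omega) = 1$. Then

$$|W_h(\omega)| \le 4\binom{n-2}{\lceil \frac{n-2}{2} \rceil},$$

and the bound is tight.

Proof. Let $1 \le k \le n$ and $\omega_k = 1$. We have

$$W_h(\omega) = \sum_{x} (-1)^{h(x) + \omega \cdot x} = 1 + \sum_{i=1}^{n} \sum_{wt(x)=i} (-1)^{x_i + x_k} = 1 + 2^n - 1 - 2\sum_{i=1}^{n} |\{x \mid wt(x) = i \text{ and } x_i + x_k = 1\}|.$$

Since

$$|\{x \mid wt(x) = i \text{ and } x_i + x_k = 1\}| = \begin{cases} 0 & \text{if } i = k \text{ or } n, \\ 2\binom{n-2}{i-1} & \text{otherwise,} \end{cases}$$

we have

$$W_h(\omega) = 4\binom{n-2}{k-1},$$

and the result follows. □
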


Lemma 2. Let $\omega \in \mathbb{F}_2^n$ with $wt(\omega) = k$, $2 \le k \le n - 1$. Then

Proof. Let $\omega_i = 1$ if $i \in \{s_1, s_2, \ldots, s_k\}$. We have

$$W_h(\omega) = 1 + \sum_{i=1}^{n} \sum_{wt(x)=i} (-1)^{x_i + x_{s_1} + x_{s_2} + \cdots + x_{s_k}}$$

$$= 2^n - 2\sum_{i=1}^{n} |\{x \mid wt(x) = i \text{ and } x_i + x_{s_1} + x_{s_2} + \cdots + x_{s_k} = 1\}|$$

$$= 2^n - 2\sum_{i=1}^{n} |A_i|,$$

where $A_i = \{x \mid wt(x) = i \text{ and } x_i + x_{s_1} + x_{s_2} + \cdots + x_{s_k} = 1\}$. Now, we compute $|A_i|$
as follows.

We use the convention that $\binom{a}{b}$ is 0 if b > a. If $i \notin \{s_1, s_2, \ldots, s_k\}$, then

$$|A_i| = \binom{k+1}{1}\binom{n-k-1}{i-1} + \binom{k+1}{3}\binom{n-k-1}{i-3} + \cdots + \binom{k+1}{d_i}\binom{n-k-1}{i-d_i}.$$

If $i \in \{s_1, s_2, \ldots, s_k\}$, then

$$|A_i| = \binom{k-1}{1}\binom{n-k+1}{i-1} + \binom{k-1}{3}\binom{n-k+1}{i-3} + \cdots + \binom{k-1}{d_i}\binom{n-k+1}{i-d_i}.$$


Therefore,  we  have 


f>'  - .  §  g«(r-T+i) 


*^{si,S2,-..,Sfc} 


^  /fc-l\  /n-fc  +  1 

^  hi  wi  - 1  A*  -  2J  + 1 


i=  1  j 


Since 


dj  +  1 

n  — 2~ 


/  k  f  71  —  k  —  1  \ 

hi  hi  ^2j  -  ^  ^  - 2j  +  v 

yl  y.  /  fc  +  1  \  /  71  —  fc  —  1  \ 


=  E 


J=1  —  1 

/fc+l\  fe_ 


1 ,  since  n  —  2j  +  l>n  —  fc— 1 


=  2n  1 ,  since  2 


—  1  >  fc  +  1  if  n  is  odd  and,  if  n  is  even, 
as


then  2[~^"|—  1  =  n  —  lis  the  highest  odd  integer  <  k  +  1.  Next,  we  have 


£  w 


di+1 

n  —J— 

2”_1+  E  E^-^) 

i= 1  j=l 

iG{si,S2,...,Sfc} 

d^+1 

n  2 

2"_1-  E  E^-^), 

i= 1  j=l 

*^{si,S2,...,Sfe} 


where

$$C_1 = \binom{k-1}{2j-1}\binom{n-k+1}{i-2j+1}, \qquad C_2 = \binom{k+1}{2j-1}\binom{n-k-1}{i-2j+1}.$$

For $1 \le k \le n - 1$, let

$$S_k = \max \Bigg| \sum_{\substack{i=1 \\ i \in \{s_1, s_2, \ldots, s_k\}}}^{n} \sum_{j=1}^{\frac{d_i+1}{2}} (C_1 - C_2) \Bigg|.$$



It  is  easy  to  verify  that  Sk  =  Sn-k  and  Sk  decreases  initially  and  then  increases.  That 
is,  Sk  achieves  the  maximum  value  when  k  =  1  and  achieves  the  minimum  value  when 
k  =  [§].  Hence,  by  Lemma  1, 


Sk  <  2 


Therefore, 


2n~1  —  2 


n  —  2 

rAi 


<Ei^i  ^ 2" 


and  the  result  follows. 


□ 


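Lemma 3. Let $\omega \in \mathbb{F}_2^n$ with $wt(\omega) = n$. Then $W_h(\omega) = 0$.

Proof. We have

$$W_h(\omega) = 1 + \sum_{i=1}^{n} \sum_{wt(x)=i} (-1)^{x_i + x_1 + x_2 + \cdots + x_n}$$

$$= 2^n - 2\sum_{i=1}^{n} |\{x \mid wt(x) = i \text{ and } x_1 + \cdots + x_{i-1} + x_{i+1} + \cdots + x_n = 1\}|$$

$$= 0.$$

□
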
Theorem 3. If h is the HWBF defined on $\mathbb{F}_2^n$, then

$$nl(h) = 2^{n-1} - 2\binom{n-2}{\lceil \frac{n-2}{2} \rceil}.$$

Proof. By Lemmas 1-3 we have

$$\max_{\omega} |W_h(\omega)| = 4\binom{n-2}{\lceil \frac{n-2}{2} \rceil},$$

and the result follows. □

Remark 1. For n odd,


which is exactly Lobanov’s bound on the nonlinearity for n-variable functions with optimum
algebraic immunity (albeit the HWBF function does not have optimal algebraic
immunity).
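
The following Python sketch is an added example, not code from the paper: it builds the truth table of $h_n$ and checks Theorems 1, 2 and 3 numerically (balancedness, degree n - 1, strict avalanche criterion, and the nonlinearity formula) for small n. The function names and the bit ordering (bit i-1 of the index holds $x_i$) are assumptions of the example.

```python
from math import comb


def hwbf_truth_table(n):
    """Truth table of h_n: h(0) = 0, otherwise h(x) = x_{wt(x)}.

    Assumed encoding: bit (i-1) of the integer index x holds variable x_i.
    """
    table = []
    for x in range(1 << n):
        w = bin(x).count("1")
        table.append(0 if w == 0 else (x >> (w - 1)) & 1)
    return table


def walsh_spectrum(table):
    """Fast Walsh-Hadamard transform of (-1)^f(x); entry w is W_f(w)."""
    spec = [1 - 2 * b for b in table]
    step = 1
    while step < len(spec):
        for start in range(0, len(spec), 2 * step):
            for j in range(start, start + step):
                a, b = spec[j], spec[j + step]
                spec[j], spec[j + step] = a + b, a - b
        step *= 2
    return spec


def nonlinearity(table):
    """nl(f) = 2^(n-1) - max|W_f| / 2."""
    return len(table) // 2 - max(abs(v) for v in walsh_spectrum(table)) // 2


def algebraic_degree(table):
    """Degree of the ANF, obtained with the binary Moebius transform."""
    anf = list(table)
    step = 1
    while step < len(anf):
        for start in range(0, len(anf), 2 * step):
            for j in range(start, start + step):
                anf[j + step] ^= anf[j]
        step *= 2
    return max((bin(m).count("1") for m, c in enumerate(anf) if c), default=0)


def satisfies_sac(table, n):
    """True if the autocorrelation C_f(a) is 0 for every a of weight 1."""
    for k in range(n):
        a = 1 << k
        if sum(1 - 2 * (table[x] ^ table[x ^ a]) for x in range(len(table))):
            return False
    return True


def theorem3_nonlinearity(n):
    """Closed form of Theorem 3; (n - 1) // 2 equals ceil((n - 2) / 2)."""
    return 2 ** (n - 1) - 2 * comb(n - 2, (n - 1) // 2)


if __name__ == "__main__":
    for n in range(3, 13):
        t = hwbf_truth_table(n)
        print(n, sum(t) == 2 ** (n - 1), algebraic_degree(t),
              satisfies_sac(t, n), nonlinearity(t), theorem3_nonlinearity(n))
```
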


3.2.  Algebraic  immunity 

The algebraic immunity of the HWBF is a non-decreasing sequence of n.

To prove this, let us first recall a known result:

Lemma 4 (Proposition 1 of [6]). Let f, g be two Boolean functions in the variables
$x_1, \ldots, x_n$ with AI(f) = AI(g) = d, and let $h = (1 + x_{n+1}) f + x_{n+1} g \in B_{n+1}$. Then
$d \le AI(h) \le d + 1$.

Note that we know also from [6] that AI(h) = d if and only if there exist $f_1, g_1 \in B_n$
of algebraic degree d such that $\{f \cdot f_1 = 0,\ g \cdot g_1 = 0\}$ or $\{(1 + f) \cdot f_1 = 0,\ (1 + g) \cdot g_1 = 0\}$
and $\deg(f_1 + g_1) \le d - 1$, but we shall not need to use it here. Clearly, $AI(h_n) = AI(h'_n)$.
Lemma 4 immediately implies the next result.

Lemma 5. We have $AI(h_{n+1}) \ge AI(h_n)$.

We next bound the algebraic immunity from below.

Theorem 4. We have

$$AI(h_n) \ge \left\lfloor \frac{n}{3} \right\rfloor + 1.$$

Proof. We show that, if $h \cdot g = 0$ or $(h + 1) \cdot g = 0$ for $g \in B_n$ such that $\deg(g) \le d = \lfloor n/3 \rfloor$,
then g = 0.

We first assume that $(h + 1) \cdot g = 0$. Let

$$g = \sum_{\substack{K \subseteq \{1,2,\ldots,n\} \\ |K| \le d}} a_K \prod_{k \in K} x_k.$$

Then g(x) = 0, for any x such that h(x) = 0. We denote $a_\emptyset$ by $a_0$ and $a_{\{i_1, i_2, \ldots, i_k\}}$ by
$a_{i_1 i_2 \ldots i_k}$.

Since g(0, ..., 0) = 0, we have $a_0 = 0$. Since g(0, 1, 0, ..., 0) = 0 then $a_2 = 0$.
Similarly, we have $a_3 = \cdots = a_n = 0$. Since g(0, 0, 1, 1, 0, ..., 0) = 0 then $a_{34} = 0$.
Similarly, we have $a_{35} = \cdots = a_{n-1,n} = 0$.

In general, let wt(x) = i, $x_1 = x_2 = \cdots = x_i = 0$ and $x_{s_1} = x_{s_2} = \cdots = x_{s_i} = 1$,
where $i + 1 \le s_1 < s_2 < \cdots < s_i \le n$. Then $h(x) = x_i = 0$. Therefore, g(x) = 0;
moreover, g(y) = 0 for every $y \preceq x$; then $a_{s_1, s_2, \ldots, s_i} = 0$. Hence, we obtain

$$g(x) = a_1 x_1$$

$$+\ a_{12} x_1 x_2 + \cdots + a_{1n} x_1 x_n + a_{23} x_2 x_3 + \cdots + a_{2n} x_2 x_n$$
(i.e. the degree 2 terms containing $x_1$ or $x_2$)

$$+\ a_{123} x_1 x_2 x_3 + \cdots + a_{3,n-1,n} x_3 x_{n-1} x_n$$
(i.e. the degree 3 terms containing $x_1$, $x_2$, or $x_3$)

$$+\ \cdots$$

$$+\ a_{12 \ldots d}\, x_1 x_2 \cdots x_d + \cdots + a_{d,n-d+2,\ldots,n}\, x_d x_{n-d+2} \cdots x_n$$
(i.e. the degree d terms containing $x_1$, or $x_2$, ..., or $x_d$)

The following Claims 2-4 will prove that all these coefficients of g must be 0. In the
proof, the following Claim 1 will be frequently used.

Claim 1: For $k \ge 1$, i > k and $i + 1 \le s_1 < s_2 < \cdots < s_{i-1} \le n$, we have

$$a_{k, s_1, s_2, \ldots, s_{i-1}} = \sum_{|J| = k-1} a_{k, J}.$$

In particular, $a_{13} = \cdots = a_{1n} = a_{134} = \cdots = a_{1,n-d+2,\ldots,n} = a_1$.

Proof: Since g(1, 0, 1, 0, ..., 0) = 0, we have $a_{13} = a_1$. Similarly, $a_{14} = \cdots = a_{1n} = a_1$.
In general, let wt(x) = i > 1, $x_1 = x_{s_1} = x_{s_2} = \cdots = x_{s_{i-1}} = 1$, where $i + 1 \le s_1 < s_2 < \cdots < s_{i-1} \le n$.
Then $h(x) = x_i = 0$. Therefore, g(x) = 0 and by induction,

$$a_{1,s_1,s_2,\ldots,s_{i-1}} = a_1 + a_{1,s_1} + \cdots + a_{1,s_{i-1}} + a_{1,s_1,s_2} + \cdots + a_{1,s_{i-2},s_{i-1}} + \cdots + a_{1,s_2,\ldots,s_{i-1}} = a_1 + a_1 + \cdots + a_1 = a_1,$$

since $\binom{i-1}{0} + \binom{i-1}{1} + \cdots + \binom{i-1}{i-2} = 2^{i-1} - 1$. Consider x = (0, 1, 0, 1, 1, 0, ..., 0).
Then $h(x) = x_3 = 0$. Therefore, g(x) = 0 and $a_{245} = a_{24} + a_{25}$.
In general, let wt(x) = i > 2, $x_2 = x_{s_1} = x_{s_2} = \cdots = x_{s_{i-1}} = 1$, where $i + 1 \le s_1 < s_2 < \cdots < s_{i-1} \le n$.
Then $h(x) = x_i = 0$. Therefore, g(x) = 0 and by induction,

$$a_{2,s_1,s_2,\ldots,s_{i-1}} = a_{2,s_1} + a_{2,s_2} + \cdots + a_{2,s_{i-1}} + a_{2,s_1,s_2} + \cdots + a_{2,s_{i-2},s_{i-1}} + \cdots + a_{2,s_2,\ldots,s_{i-1}} = a_{2,s_1} + \cdots + a_{2,s_{i-1}},$$

since $a_{2,s_1,s_2,\ldots,s_j} + \cdots + a_{2,s_{i-j},\ldots,s_{i-1}} = \binom{i-2}{j-1}(a_{2,s_1} + \cdots + a_{2,s_{i-1}})$
and $\binom{i-2}{0} + \binom{i-2}{1} + \cdots + \binom{i-2}{i-3} = 2^{i-2} - 1$. In general, let wt(x) = i > k,
$x_k = x_{s_1} = x_{s_2} = \cdots = x_{s_{i-1}} = 1$, where $i + 1 \le s_1 < s_2 < \cdots < s_{i-1} \le n$. Then $h(x) = x_i = 0$.
Therefore, g(x) = 0 and by induction the claim follows.

Claim  2:  For  1  <  k  <  d  and  d+l<Si<S2<...<  Sk-i  <  n,  we  have 

Ok,S!,S2,...,Sk  —  i  b.  That  is,  Ui  a2,d+l  —  *  a2^n  —  a3’d,+  l, d+2  —  ‘  —  Od,,n—d+2,...,n  — 

0. 

Proof:  For  k  =  1,  consider  x  =  (1, 0, . . . ,  0, 1 . . . ,  1)  such  that  wt( x)  =  d+  1  and 
xn-d+i  =  •  •  •  =  xn  =  1.  Since  d  =  |_§ Ji  we  have  d  +  1  <  n  —  d.  Then  we  have 
h(l,  0, . . . ,  0, 1, . . . ,  1)  =  2:^+1  =  0  and  therefore  g(l,  0, . . . ,  0, 1, . . . ,  1)  =  0.  That  is, 

ai+dyn-d+iH - hain  +  oi,n_d+i,n_d+2H - hai,n-d+2,...,n  =  0.  Then  by  Claim  1,  cn  = 

0.  For  k  =  2,  consider  the  points  (0, 1,  0, . . . ,  0, 1, . . . ,  1)  and  (0, 1,  0, . . . ,  0, 1, . . . ,  1,  0)  with 
weight d + 1. Clearly, h(x) = 0 at these two points. Then g(x) = 0, and by Claim 1 we

have  a2,n-d+ l  H - 1-  a2,n  =  a2,n-d  H - 1-  a2,n-i-  That  is,  a2j7l_d  =  o2>n.  Similarly,  we 

have  a2jd+i  =  a2id+2  =  . . .  =  a2j„.  Let  d  <  w  <  n  and  —  1  be  odd.  Consider  a  point 
(xi,x2,  •  ■  •  ,%n)  °f  weight  w  satisfying  x2  =  1,  xw  =  0  and  x^  =  x*2  =  . . .  =  x^^  =  1, 
where  d  +  1  <  t\  <  t2  <  . . .  <  tw- 1  <  n.  Then  g(xi, . . .  ,xn)  =  0  and  a2j1  =  0.  For 
2  <  k  <  d,  consider  all  those  points  (xi,  x2, . . . ,  xn)  of  weight  d+  1  satisfying  Xk  =  1  and 
Xtj  =  xt2  =  . . .  =  xtd  =  1,  where  n  —  2d  +  2  <  t\  <  t2  <  . . .  <  td  <  n.  Clearly,  h(x)  =  0 
at  all  these  points,  since  d  +  1  <  n  —  2d  +  2  (i.e.  3d  <  n).  Therefore,  g(x)  =  0  and 
we  get  a  system  of  equations.  Then  by  Claim  1  we  have  ak,n-2d+2,n-2d+3,...,n-2d+k  = 
. . .  =  dk,n-k+2,n-k+3,...,n  (in  fact,  we  get  a  system  of  (2dd~1)  equations  with  vari¬ 

ables;  in  particular,  taking  k  =  d,  we  get  a  system  of  ( 2d d_1)  equations  with  (2ff~11) 
variables.  It  is  easy  to  verify  that  the  system  has  at  most  two  solutions  (0,0,...,  0)  and 
(1,1,...,  1)).  Then  we  can  deduce  easily  that  ak,d+i,...,d+k-i  =  ■■■  =  ak,n-k+2,n-k+3,...,n- 
Let  d  <  w  <  n  and  (((’“*)  be  odd.  Consider  a  point  (xi,  x2, . . . ,  xn)  of  weight  w  satisfying 
Xfc  =  1,  xw  =  0  and  xtl  =  xt2  =  ...  =  xtw_1  =  1,  where  d+1  <t\<t2<...<  tw_\  <  n. 
Then  g{x i, . . . , xn)  =  0  and  ak,t.1,t2,...,tk_1  =  0,  and  the  claim  follows. 

Claim  3:  For  2  <  k  <  d  and  r  <  k,  we  have  i,...,sfc_2  =  ar,k  —  0,  where 
d  +  1  <  si  <  . . .  <  Sk~2  <  n. 

Proof:  Similar  to  Claim  1,  for  2  <  k  <  d  and  r  <  k,  we  have 

k,si  ,S2 ,  ■ . .  ,Si  —  2  &r,k  T  &r,k:J , 

|J|=fc— 2 
JC{si,...,si_2} 

where  i  >  k  and  *  +  l<Si<s2<...<  s*_  i  <  n.  For  k  —  2,  consider  x  = 
(1, 1, 0, . . . ,  0, 1, . . . ,  1)  such  that  wt(x)  =  d  +  1  and  xn-d+2  =  •  •  •  =  xn  =  1.  Then 
g(x)  =  0  and  ai2  +  aij2jn-d+2  +  •  •  •  +  Ul,2,n  +  dl,2,n-d+2,n-d+3  +  '  '  ’  +  dl,2,n-d+3,...,n  = 
®12  +  Oi2  +  •  •  ■  +  «i2  =  ai2  =  0.  For  2  <  k  <  d,  similar  to  the  proof  of  Claim  2,  we  can 
deduce  the  result. 

Claim  4:  Let  1  <  u  <  d—  1.  By  induction,  for  u+1  <  k  <  d  and  0  <  t*i  <  . . .  <  ru  <  k, 
we  have  ar1,...,ru,fc,s1,...,sfc_u_1  =  aTl  =  0,  where  d+l<si<s2<...<  Sk-U- 1  < 

n. 

Proof:  Similar  to  Claim  1,  we  have 


,...,rw ,fc,si  ,S2 ®ri,...,ru,k  T 


E 


|  J\  —k—u—  1 
JC{Sl,...,Si} 

where  i  >  k  —  u  —  1  and  d+l<si<s2<...<  s,;_i  <  n.  Consider  x  =  (xi, . . . ,  xn) 
such  that  wt{x)  =  d  +  1,  Xi  =  •••  =  xM+i  =  1  and  xn-d+u+ 1  =  =  xn  =  1. 

Then  g(x)  =  0  and  by  induction,  +  ai,...,«+i,»j-(i+„+i  +  •  ■  •  +  alt...tU+  + 

®l,...,u+l,n-d+u+l,n-d+«+2  +  '  '  '  +  GU,...,u+l,ra-<i+u+2,...,ra  =  CH,...,«+1  +  CH,...,u+l  +  •  •  •  + 

a i,...,u+i  =  ui,...,m+i  =  0.  For  u  +  1  <  k  <  d,  similar  to  the  proof  of  Claim  2,  we  can 
deduce  the  result. 

Therefore,  for  u  +  1  <  k  <  d  and  0  <  rq  <  . . .  <  ru  <  k,  we  have  <Jr1,...,r„,k,s1,...,ai  =  0, 
where  i  >  k  —  u  —  1  and  d  +  1  <  Si  <  s2  <  . . .  <  <  n.  That  is,  g  =  0  and  h  +  1  has  no 
annihilator  of  degree  at  most  d. 

Now consider $h \cdot g = 0$. Let $\bar{h}(x_1, \ldots, x_n) = h(x_1 + 1, x_2 + 1, \ldots, x_n + 1)$. It is
easy to verify that $\bar{h}(x_1, \ldots, x_n) = h(x_{n-1}, x_{n-2}, \ldots, x_1, x_n) + 1$. By the above proof,
$\bar{h}(x_1, \ldots, x_n)$ has no annihilator of degree at most d. Therefore, $h(x_1, \ldots, x_n)$ has no
annihilator of degree at most d, and the result follows. □

Table 1: Algebraic Immunity of the HWBF

n     6    7    8    9    10   11   12   13   14   15
AI    3    3    4    4    4    5    5    5    5    6

Table 2: Behavior of the HWBF against Fast Algebraic Attacks

n        6      7      8      9      10     11     12     13
(d, e)   (1,3)  (1,5)  (1,5)  (1,7)  (1,7)  (1,9)  (1,9)  (1,11)
         (2,3)  (2,4)  (2,4)  (2,5)  (2,6)  (2,8)  (2,8)  (2,9)
                       (3,4)  (3,4)  (3,5)  (3,6)  (3,6)  (3,8)
                                            (4,5)  (4,5)  (4,6)

In Table 1, we give the exact algebraic immunity of the n-variable HWBF, for $6 \le n \le 15$.
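
The following Python sketch is an added example, not code from the paper: it computes the algebraic immunity of $h_n$ by checking, for increasing d, whether h or h + 1 admits a nonzero annihilator of degree at most d (a rank test over $\mathbb{F}_2$ on the monomial evaluation matrix), so the first entries of Table 1 and the bound of Theorem 4 can be compared. The function names and the bit ordering are assumptions of the example.

```python
from itertools import combinations


def hwbf(x, n):
    """h_n(x) with bit (i-1) of x holding x_i (assumed encoding)."""
    w = bin(x).count("1")
    return 0 if w == 0 else (x >> (w - 1)) & 1


def gf2_rank(rows):
    """Rank over GF(2) of rows packed into Python integers."""
    basis = {}  # highest set bit -> reduced row with that pivot
    for r in rows:
        while r:
            pivot = r.bit_length() - 1
            if pivot not in basis:
                basis[pivot] = r
                break
            r ^= basis[pivot]
    return len(basis)


def has_annihilator(points, n, d):
    """True if a nonzero g with deg(g) <= d vanishes on every point.

    Each point x gives one linear equation sum_m a_m * m(x) = 0 in the
    unknown ANF coefficients a_m, one per monomial m of degree <= d.
    A nonzero solution exists iff the rank is below the monomial count.
    """
    monomials = [sum(1 << i for i in c)
                 for k in range(d + 1)
                 for c in combinations(range(n), k)]
    rows = []
    for x in points:
        row = 0
        for j, m in enumerate(monomials):
            if x & m == m:  # monomial m evaluates to 1 at x
                row |= 1 << j
        rows.append(row)
    return gf2_rank(rows) < len(monomials)


def algebraic_immunity(n):
    """Smallest d such that h_n or h_n + 1 has an annihilator of degree d."""
    ones = [x for x in range(1 << n) if hwbf(x, n)]
    zeros = [x for x in range(1 << n) if not hwbf(x, n)]
    for d in range(1, n + 1):
        # annihilators of h vanish on its support, those of h + 1 on the zeros
        if has_annihilator(ones, n, d) or has_annihilator(zeros, n, d):
            return d
    return n


if __name__ == "__main__":
    for n in range(6, 11):
        print(n, algebraic_immunity(n), "lower bound:", n // 3 + 1)
```
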

Next,  we  investigate  the  normality  of  the  HWBF. 

Theorem 5. The HWBF $h \in B_n$ is a $\lfloor n/2 \rfloor$-normal function.

Proof. Let $x \in \mathbb{F}_2^n$ and $x_1 = x_2 = \cdots = x_{\lceil n/2 \rceil} = 0$. Then $wt(x) \le n - \lceil n/2 \rceil \le \lceil n/2 \rceil$, and
h(x) = 0. Let $E_1 = \{(0, \ldots, 0, x_{\lceil n/2 \rceil + 1}, \ldots, x_n)\}$. It is a $\lfloor n/2 \rfloor$-dimensional subspace of $\mathbb{F}_2^n$.
Clearly, $h|_{E_1} = 0$, and h is an $\lfloor n/2 \rfloor$-normal function. □

Resistance to fast algebraic attacks.

Let $\deg(g_1) = d < AI(h)$ and $h \cdot g_1 = g_2$. We expect that $\deg(g_2)$ is as high as
possible for any $g_1$ of low degree. The optimum case for a Boolean function to resist fast
algebraic attacks is that $\deg(g_1) + \deg(g_2) \ge n$ for any $g_1$ of degree less than AI(h). Let
$\deg(g_2) = e$. For $6 \le n \le 13$, in Table 2, we give the lowest possible values of (d, e),
which seems to be quite acceptable.

There  are  some  other  variants  of  algebraic  attacks.  In  [39],  the  authors  introduced 
the  higher  order  algebraic  attack,  with  applications  towards  cryptanalysis  of  Carlet- 
Feng  functions  and  rotation  symmetric  Boolean  functions.  However,  those  attacks  do 
not  work,  since  in  practice  the  number  of  variables  of  the  filter  function  is  much  less 
than the length of the LFSR. In [15], algebraic attacks on the augmented function are
introduced, which are dependent on low-degree conditional equations. Given a Boolean
function with a large number of variables and good algebraic immunity, it is hard to find
a low-degree equation. Therefore, higher order algebraic attacks and algebraic attacks
on the augmented function cannot pose a security threat to the HWBF.

Table 3: Algebraic immunity and nonlinearity of some randomly selected 10-variable Boolean functions

AI    5    5    5    5    5    5    5    5    5    5    5    5
nl    458  452  456  448  452  466  462  456  450  442  462  458

Summary of the features of the function. While the HWBF is as simple as a symmetric
function (in the sense that the complexity of computing the output of HWBF is almost as
low as for a symmetric function), its BDD size is considerably higher, which has an interest
for cryptography. Symmetric functions are considered dangerous by the cryptographic
community, since an attacker could, in theory, use the symmetry property. In fact, an n
variable symmetric Boolean function has a BDD of size $O(n^2)$ [19], and therefore is weak
against BDD-based attacks. Moreover, many symmetric functions are not balanced and
there is no even-variable balanced symmetric function with optimum algebraic immunity
for n > 4. The nonlinearity of the HWBF is similar to that of a symmetric function with
optimum algebraic immunity. It does not have the weakness of a symmetric function but
it has the same nice quality of being efficiently implementable in hardware, which allows
taking n much larger, thus increasing the strength of its cryptographic properties.

Comparing with a randomly selected balanced Boolean function, the algebraic immunity
and nonlinearity of this function may be low. In fact, when n = 10, AI(h) = 4 and
nl(h) = 372. We can generate 128 pseudo random different integers between 1 and 256
and get a Boolean function whose truth table has the value 1 in these 128 positions. Using
this method, we generated 64 randomly selected balanced Boolean functions. All these
functions have the optimum algebraic immunity 5 and their nonlinearities are between
442 and 466. Algebraic immunity and nonlinearity of the first 12 generated functions
can be found in Table 3. It is known that most Boolean functions have almost optimal
algebraic immunity and a nonlinearity close to $2^{n-1} - 2^{n/2-1}\sqrt{2n \ln 2}$ [32], for n large
enough. As a comparison, the nonlinearity of HWBF is only around $2^{n-1} - 2^{n-1}\sqrt{\frac{2}{\pi n}}$,
quite far away from that number.

For the same number of variables n, the algebraic immunity and nonlinearity of
the HWBF are certainly lower than for other optimal functions, such as the Carlet-Feng
function [7]. However, since the HWBF is very simple and can be implemented efficiently
in hardware (which is the most important framework for us, since LFSRs are better suited
for hardware implementation), we can use the HWBF with many more variables. In fact,
the time complexity of computing the output of the Carlet-Feng function is similar to
the complexity of computing the discrete log, which requires exponential time when
viewed asymptotically, e.g. using the index calculus method [9], the time complexity is
$O(\exp((1.587 + o(1))\, n^{1/3} (\ln n)^{2/3}))$, while the output of the HWBF can be computed
only in linear time (in fact, the number of ones can even be counted in logarithmic time
using the parallel algorithm [18]). As for the space complexity, using the Pohlig-Hellman
method, the 20-variable Carlet-Feng function allows computing one output bit per cycle
with more than 1000 half-adders and full-adders. In comparison, the 64-variable HWBF
allows computing one output bit with only $2^6 - 1 = 63$ half-adders and $2^6 - 6 - 1 = 57$
full-adders [16]. Therefore, by the time and space complexity, we compare the 16-variable
Carlet-Feng function with the 256-variable HWBF and give an example as follows.

Example 1: Let $f_c \in B_{16}$ be the Carlet-Feng function discussed by [37]. Then
$\deg(f_c) = 15$, $AI(f_c) = 8$ and $nl(f_c) = 32530$. Let $\tilde{h} = h_{256} + x_{257}x_{258} + x_{259}x_{260} + x_{261}x_{262} + x_{263}x_{264} + x_{265}x_{266} + x_{267}x_{268} + x_{269}x_{270} + x_{271}x_{272}$
(we take this function $\tilde{h}$,
since its efficiency of the implementation is similar to that of $h_{256}$, while it has better
cryptographic properties). Then $\deg(\tilde{h}) = 255$, $AI(\tilde{h}) \ge AI(h) \ge 86$ and
$nl(\tilde{h}) = 2^{271} - 2^{9}\binom{254}{127}$ (it should be noted that the resistance to the fast algebraic attack of $\tilde{h}$ is
also better than that of h since if $\tilde{h} \cdot g_1 = g_2$, then
$h \cdot g_1 = g_2 + (x_{257}x_{258} + x_{259}x_{260} + x_{261}x_{262} + x_{263}x_{264} + x_{265}x_{266} + x_{267}x_{268} + x_{269}x_{270} + x_{271}x_{272}) \cdot g_1$). Recall that the fast
correlation attack has an on-line complexity proportional to $\left(\frac{1}{\epsilon}\right)^2$, where $\epsilon = \frac{1}{2} - \frac{nl(f)}{2^n}$
is the so-called bias [26]. The algebraic attack has an on-line complexity proportional to
$N^{\omega AI(f)}$, where N is the length of the register and $\omega \approx 2.37$ (see e.g. [17]). Therefore,
the bias of $f_c$ is $\epsilon = 0.0036$, while the bias of $\tilde{h}$ is $\epsilon = 0.0001$. As for the algebraic attack,
$f_c$ has an on-line complexity proportional to $N^{18.96}$, while the algebraic attack on $\tilde{h}$ has
an on-line complexity proportional to $N^{203.82}$. Moreover, for any ordering of variables,
$BDD(h) \ge 2^{51}$ [19], while $BDD(f_c) \le 2^{15}$. Therefore, the cryptographic properties of $\tilde{h}$
are much better than those of $f_c$.

Concerning the resistance to fast algebraic attacks, it is more difficult to make comparisons
since the known algorithms do not allow investigating large enough values of n;
however,  it  seems  most  probable  that  the  HWBF  function  in  a  large  number  of  variables 
allows  better  resistance  than  the  other  known  functions  with  good  algebraic  immunity. 

4.  Conclusion 

This paper investigates some cryptographic properties of the HWBF. To summarize,
the HWBF is balanced, has optimum algebraic degree and satisfies the strict avalanche
criterion. The algebraic immunity is at least $\lfloor n/3 \rfloor + 1$. The function seems to have quite
acceptable behavior against fast algebraic attacks, as can be checked for small values of
n. It also has a high BDD size. Since the HWBF can be implemented very efficiently,
it can be used with a number of variables much larger than the other known functions
with good algebraic immunity; this allows reaching very good cryptographic properties
implying high resistance of the stream ciphers using it as a filter to the main attacks,
and at the same time high speed of these ciphers. The HWBF is therefore a very good
candidate for being used in the design of stream ciphers; indeed, very few functions have
been found so far which can allow resistance to all the main known attacks, and except
this one, none of them is very efficiently implementable.